Summary

Impact

This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. [1]

This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. [1]

Vulnerable

Drupal 7.x

Drupal 8.x

Recommendations

If you are running 7.x, upgrade to Drupal 7.59. [1]

If you are running 8.5.x, upgrade to Drupal 8.5.3. [1]

If you are running 8.4.x, upgrade to Drupal 8.4.8. ("Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.") [1]

If you cannot upgrade to the recommended release right away, temporary fixes are available. See the SA-CORE-2018-004 advisory for details. [1]

Open Berkeley sites hosted at Pantheon were already patched by the Web Platform Services team on April 25th, 2018. [2] [3]

If you operate your own Drupal site (that is not hosted with the Open Berkeley/Pantheon turnkey solution), you must upgrade immediately.